Abstract. The Algebraic Eraser (AE) is a cryptographic primitive that can be used to obscure information in certain algebraic cryptosystems. The Colored Burau Key Agreement Protocol (CBKAP), which is built on the AE, was introduced by I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux [1] in 2006 as a protocol suitable for use on platforms with constrained computational resources, such as RFID and wireless sensors. In 2009 A. Myasnikov and A. Ushnakov proposed an attack on CBKAP [7] that attempts to defeat the generalized simultaneous conjugacy search problem, which is the public-key computational problem underlying CBKAP. In this paper we investigate the effectiveness of this attack. Our findings are that success of the attack only comes from applying it to short keys, and that with appropriate keys the attack fails in 100% of cases and does not pose a threat against CBKAP. Moreover, the attack in [7] makes assumptions about CBKAP that do not hold in practical implementations, and thus does not represent a threat to the use of CBKAP in applications.
1. Introduction

1.1. In [1] I. Anshel, M. Anshel, D. Goldfeld, and S. Lemieux propose a key agreement protocol intended for use on low-cost platforms with constrained computational resources. Such platforms typically arise in radio frequency identification (RFID) networks and wireless sensor networks. The protocol is built on the Algebraic Eraser (AE), a cryptographic primitive that disguises information in many algebraic cryptosystems, such as those built on conjugation problems in braid groups. For more details, including a formal description of the AE, we refer to [1, §2].

The security of the AE is based on the hardness of the generalized simultaneous conjugacy search problem (GSCSP), which can be described as follows. Suppose $G$ is a group and $(X)$ is a property potentially satisfied by elements of $G$ (i.e., elements satisfy property $(X)$ if and only if they satisfy certain identities in $G$). Then given $y_1, \dots, y_n \in G$, the associated GSCSP is to find elements $z, a_1, \dots, a_n$ such that $y_i = z a_i z^{-1}$ for all $i$ and the $a_i$ satisfy $(X)$. Note that GSCSP is a broader problem than the simultaneous conjugacy search problem, where the elements $a_1, \dots, a_n$ are known and there is no specified property $(X)$.

As an example implementation of a protocol based on the AE, the authors of [1] present the Colored Burau Key Agreement Protocol (CBKAP). The algebraic structure underlying this protocol is the braid group $B_n$, and an essential part of CBKAP is a trusted third party (TTP) algorithm that chooses secret data in $B_n$. We give this data in detail in §2 and for now only mention that the TTP chooses a secret element $z \in B_n$ — the conjugator — and uses it to produce finite lists of conjugates $\{V_i\}, \{W_i\} \subset B_n$. These sets are made available to the protocol's users. As shown in [1, §6], knowledge of $z$ allows one to break CBKAP. If both sets $\{V_i\}, \{W_i\}$ are published, the security of CBKAP relies on the assumed difficulty of recovering $z$ from these sets. This is an instance of the GSCSP.

1.2. In [7] A. Myasnikov and A. Ushnakov present an attack on CBKAP that relies on both sets of conjugates $\{V_i\}, \{W_i\}$ being known. Instead of trying to determine $z$, they try to find an alternative element $\zeta$ that can play the role of $z$ in the attack in [1, §6]. They also heuristically analyze the difficulty of finding $\zeta$, and make the claim that they can recover the secret conjugator in all instantiations of the TTP at the security levels proposed in [1].

1.3. In this paper, we report on tests we performed with the attack in [7]. We tested the attack on randomly generated TTP data at a variety of security parameters. We also tested some of the heuristic assumptions in [7] that form the core of the attack.

We found that for suitable choices of the parameters, the attack fails in 100% of 
cases. More precisely, for low TTP data length, the attack in [7] is indeed successful 
in recovering z, and thus in breaking CBKAP. However, as lengths increase, the 
attack becomes far less successful and eventually fails in 100% of all cases. We also 
found that some of the heuristics underlying their attack are too optimistic when 
word lengths become long, as one would find in a typical deployment of CBKAP in 
a constrained computational setting. 

Our tests suggest that the apparent power of the attack in [7] comes from using 
it against poorly chosen TTP data, in particular against braid words that are short. 
Moreover, with appropriate TTP data the attack poses no threat against CBKAP, 
even for data leading to small public/private key sizes that may be successfully de- 
ployed in low cost platforms with constrained computational resources. 

1.4. Finally, we also remark that [7] relies heavily on the assumption that both sets $\{V_i\}, \{W_i\}$ are known to the attacker. Indeed, this assumption can be found in [1]. However, in most practical implementations of CBKAP this will not be the case. For example, see where it is shown that the AE version of the El Gamal public key encryption algorithm [1] requires only one of the sets $\{V_i\}, \{W_i\}$ to be made public. In this case, the attack in [7] cannot even be applied, and thus fails completely.
2. The TTP algorithm and the attack

2.1. Let $B_n$ be the braid group on $n$ strands. We denote the Artin generators by $s_1, \dots, s_{n-1}$; they satisfy the defining relations $s_i s_{i+1} s_i = s_{i+1} s_i s_{i+1}$ and $s_i s_j = s_j s_i$ if $|i - j| > 1$. Let $\Delta$ be the half-twist $(s_1 s_2 \cdots s_{n-1})(s_1 \cdots s_{n-2}) \cdots (s_1 s_2) s_1$, whose square generates the center of $B_n$.

To set up an instance of CBKAP, the TTP performs the following algorithm:

(1) Choose a freely reduced word $z$ in the generators $s_i$ and their inverses.

(2) Choose two subgroups $B_a, B_b \subset B_n$ that are mutually commuting: $ab = ba$ for all $a \in B_a$, $b \in B_b$.

(3) Choose $2N$ words $v_1, \dots, v_N \in B_a$ and $w_1, \dots, w_N \in B_b$, and form the conjugates $z v_1 z^{-1}, \dots, z v_N z^{-1}, z w_1 z^{-1}, \dots, z w_N z^{-1}$.

(4) For $i = 1, \dots, N$:

(a) compute the left normal form [5] of $z v_i z^{-1}$ and reduce the result modulo $\Delta^2$;

(b) let $V_i$ be a braid word corresponding to the element obtained in (4a);

(c) compute the left normal form of $z w_i z^{-1}$ and reduce the result modulo $\Delta^2$;

(d) let $W_i$ be a braid word corresponding to the element obtained in (4c).

The lists $\{V_i\}$ and $\{W_i\}$ are made available to the implementers of CBKAP, and the element $z$ is kept secret. The fundamental computational problem to break the protocol is the following: given the lists $\{V_i\}, \{W_i\}$ of disguised (rewritten using the braid relations) conjugates, find $z$ and the original words $\{v_i\}, \{w_i\}$. If one knows $z$, then an attack on CBKAP was already described in [1, §6].

2.2. Now we turn to the attack in [7], which begins with the following observation. To break CBKAP using the strategy in [1, §6], it is not necessary to know the original words $v_1, \dots, w_N$, which were chosen from a specific pair of mutually commuting subgroups of $B_n$. In fact, to apply [1, §6] one only needs to find some way to produce conjugates of the published lists that lie in mutually commuting subgroups. This leads to the following computational problem, which the authors of [7] call the simultaneous conjugacy separation search problem (SCSSP): given the published lists $\{V_i\}, \{W_i\}$, find an element $\zeta$ and integers $p_1, \dots, p_N, q_1, \dots, q_N$ such that the two sets

$\{W_i'\} = \{\Delta^{2p_i} \zeta^{-1} W_i \zeta \mid i = 1, \dots, N\}$ and $\{V_i'\} = \{\Delta^{2q_i} \zeta^{-1} V_i \zeta \mid i = 1, \dots, N\}$

are subsets of mutually commuting subgroups of $B_n$. The element $\zeta$ is then applied in the linear attack described in [1, §6], in which it plays the role of the conjugator $z$. Of course the original $z$ and the exponents of $\Delta^2$ used in the normal form reduction in steps (4a), (4c) will solve the SCSSP, but there could be other choices that work as well.

Thus the attack falls naturally into two steps:

(1) Determine the exponents $p_i, q_i$.

(2) Determine the conjugator $\zeta$.

Both steps rely heavily on a function $|\cdot|_a \colon B_n \to \mathbb{Z}$, the approximate length function. This function, originally defined in [8], serves as a replacement for the geodesic length $\ell \colon B_n \to \mathbb{Z}$ in the Cayley graph of $B_n$. We discuss this function more below, and for now explain how it is used in the attack.

2.3. We begin with step (1). Let $X$ be any element from the published lists of disguised conjugates. We want to find the associated exponent $p$ of $\Delta^2$ that should be applied with $X$ to solve the SCSSP. Consider the set of integers

(1) $\{\, |\Delta^{2j} X|_a \mid j \in \mathbb{Z} \,\}$.

We assume that the set (1) attains a minimum at some integer $p$. This is our desired exponent for $X$. We repeat the procedure for all $V_i$ and $W_i$.

2.4. After finding all the exponents $p_1, \dots, q_N$, the next step (2) is finding $\zeta$. To explain how this is done, we need more notation. Let $x = (x_1, \dots, x_N)$ be a tuple of words in $B_n$. Let $|x|_a = \sum |x_i|_a$ be the total approximate length of $x$. For any $w \in B_n$ let $x^w = (w^{-1} x_1 w, \dots, w^{-1} x_N w)$.

Now suppose we have two tuples $x, y$ that we know a priori can be conjugated into two commuting subgroups. Put $\zeta = 1$. We consider simultaneous conjugation of $x, y$ by generators, and how the total approximate length of the tuples $x, y$ changes. In other words, for each $\sigma \in \{s_1^{\pm 1}, \dots, s_{n-1}^{\pm 1}\}$ let $\delta_\sigma$ be defined by

$\delta_\sigma = |x^\sigma|_a + |y^\sigma|_a - (|x|_a + |y|_a)$.

If $\delta_\sigma > 0$, then conjugation by $\sigma$ makes the tuples $x, y$ longer overall, and so $\sigma$ should not appear at the end of a reduced expression for $\zeta$. On the other hand, if $\delta_\sigma < 0$, then conjugation by $\sigma$ represents progress towards constructing $\zeta$. We replace $\zeta$ with $\zeta\sigma$, replace $x, y$ with $x^\sigma, y^\sigma$, and repeat the process if $x^\sigma, y^\sigma$ are not supported on mutually commuting subgroups. A variation of this procedure keeps track of the sequence $\sigma_1, \sigma_2, \dots$ and uses backtracking to try more possibilities for $\zeta$.

3. The approximate length function 

3.1. A key role in the attack is played by the approximate length function $|\cdot|_a$, originally defined in [8]. To explain it we need more notation.

Let $w \in B_n$ be represented by a reduced expression $s_{i_1}^{\epsilon_1} \cdots s_{i_k}^{\epsilon_k}$. The main generator of $w$ in this expression is the generator $s_j$ such that $j$ is the minimal subscript $i_k$ appearing in the expression. A word is Dehornoy reduced if its main generator does not appear simultaneously with its inverse [3]. Typically there are many Dehornoy reduced expressions representing $w$, but one can write a deterministic program to produce a unique one. Following [3], one can further use the reduction procedure to produce a fully reduced word. Such a word is also Dehornoy reduced, but satisfies additional properties that tend to make it substantially shorter than the original word. We assume this has been done, and let $D(w)$ be the full reduction of $w$.
3.2. The idea behind computing $|w|_a$ is to produce a word $w'$ equivalent to $w$ using a combination of full reduction and right conjugation by $\Delta$. The latter affects a reduced expression $w = s_{i_1}^{\epsilon_1} \cdots s_{i_k}^{\epsilon_k}$ by replacing each generator $s_i$ by its "complement" $s_{n-i}$:

$w^\Delta := \Delta^{-1} w \Delta = s_{n-i_1}^{\epsilon_1} \cdots s_{n-i_k}^{\epsilon_k}$.

The algorithm to compute $|w|_a$ works as follows. We begin by putting $w_0 = w$ and $i = 0$. Let the word length of $z$ be denoted $|z|$. Then we apply the sequence

(1) Increment $i$ and put $w_i = D(w_{i-1})$.

(2) If $|w_i| < |w_{i-1}|$ then

(a) put $w_i = w_i^\Delta$ and

(b) go to Step (1).

(3) Otherwise,

(a) if $i$ is even output $w' = w_{i-1}^\Delta$,

(b) if $i$ is odd output $w' = w_{i-1}$.

The output is a word $w'$ equivalent to $w$ with $|w'| \le |w|$. Finally we define $|w|_a$ to be $|w'|$. In practice, for instance as implemented in [6], one does not repeat (1)-(2) until $|w_i| \ge |w_{i-1}|$, but instead iterates a fixed number of times.

The authors of [7] claim that $|\cdot|_a$ approximates the geodesic length $\ell$ well enough that two key properties hold. First, they claim that for generic tuples $x$ and words $w$, we have $|x^w|_a \ge |x|_a$. Next, they claim that $|\cdot|_a$ approximately satisfies the triangle inequality. Namely, we have $|w|_a + |u|_a \ge |wu|_a$ for generic words $w, u$. Both properties play a key role in the heuristic justifying the attack on the TTP algorithm.
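An added example in Python (not code from the paper or from the crag library) that implements the fixed-round version of the $|\cdot|_a$ loop of §3.2 and, on top of it, the exponent search of step (1) in §2.3. Braid words are lists of signed integers ($\pm i$ for $s_i^{\pm 1}$); the full reduction $D$ is stood in for by a Dehornoy-style handle reduction whose handle definition and rewriting rule are assumptions of this example, and the loop always runs a fixed number of rounds, as the text says crag does, rather than stopping at the first non-decrease.

```python
# Added example (not the paper's or crag's code). Braid words are lists of
# signed integers, +i / -i standing for s_i / s_i^-1 in B_n.

def handle_reduce(word):
    """Stand-in for full reduction D: rewrite the handle with the smallest
    right endpoint until none is left (assumed definition). A s_i-handle is
    s_i^e u s_i^-e with no s_i or s_(i-1) in u; it is replaced by u with each
    s_(i+1)^d rewritten as s_(i+1)^-e s_i^d s_(i+1)^e (empty u: free cancel)."""
    w = list(word)
    while True:
        found = None
        for q, letter in enumerate(w):
            i = abs(letter)
            p = q - 1
            while p >= 0 and abs(w[p]) != i:        # previous occurrence of s_i
                p -= 1
            if p < 0 or w[p] != -letter:            # handles need opposite exponents
                continue
            if any(abs(x) == i - 1 for x in w[p + 1:q]):
                continue                            # s_(i-1) inside: not a handle
            found = (p, q, i)
            break
        if found is None:
            return w
        p, q, i = found
        e = 1 if w[p] > 0 else -1
        inner = []
        for x in w[p + 1:q]:
            if abs(x) == i + 1:
                inner += [-e * (i + 1), (1 if x > 0 else -1) * i, e * (i + 1)]
            else:
                inner.append(x)
        w = w[:p] + inner + w[q + 1:]

def complement(word, n):
    """Right conjugation by the half-twist: Delta^-1 w Delta sends s_i to s_(n-i)."""
    return [(n - abs(x)) * (1 if x > 0 else -1) for x in word]

def approximate_length(word, n, rounds=4):
    """|w|_a as in 3.2: alternate D and Delta-conjugation for a fixed number of
    rounds (the crag-style variant); returns (|w|_a, w') with w' equivalent to w."""
    w = handle_reduce(word)
    best, parity = w, 0
    for r in range(1, rounds + 1):
        w = handle_reduce(complement(w, n))
        if len(w) < len(best):
            best, parity = w, r
    if parity % 2:                 # Delta^2 is central, so only the parity matters
        best = complement(best, n)
    return len(best), best

def delta_square(n, k):
    """Word for Delta^(2k) in B_n, Delta = (s_1...s_(n-1))(s_1...s_(n-2))...(s_1)."""
    half = [i for m in range(n - 1, 0, -1) for i in range(1, m + 1)]
    word = half * (2 * abs(k))
    return word if k >= 0 else [-x for x in reversed(word)]

def best_exponent(x, n, span=3):
    """Step (1) of the attack (2.3): the j in [-span, span] minimising
    |Delta^(2j) x|_a, i.e. the exponent that strips the Delta^2 padding."""
    return min(range(-span, span + 1),
               key=lambda j: approximate_length(delta_square(n, j) + x, n)[0])
```

On the constructed word $s_1 s_2 s_1 s_2^{-1}$ in $B_3$ the handle reduction alone is stuck at length 4 (the $s_2$ pair encloses an $s_1$), while one $\Delta$-conjugation round finds the equivalent word $s_2 s_1$; feeding $\Delta^2 s_1$ to `best_exponent` recovers the exponent $-1$ that removes the $\Delta^2$ factor.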

4. Tests and findings 

4.1. Our tests naturally split into two topics. First we tested features of the approximate length function, in particular how well the computation of $|\cdot|_a$ shortens words compared to full reduction, as well as how well the approximate length function satisfies the triangle inequality. Next we tested the attack against the TTP algorithm for a variety of randomly generated TTP data.

All algebraic computations with braid groups — including randomly generating braid words, the implementation of the attack in [7], and the computation of the approximate length function $|\cdot|_a$ — were performed using the C++ library crag written by the authors of [7], and distributed through the Algebraic Cryptography Group at the Stevens Institute of Technology. The code is freely available on the internet [6].

4.2. Approximate length function: reduction. In these tests we fixed a braid group $B_n$, then generated many freely reduced words $w$ of various lengths and computed $|w|_a / |D(w)|$. The results for the groups $B_8, B_{16}, \dots, B_{48}$ are plotted in Figure 1; each data point represents 100 trials.

We found that when the lengths of the randomly generated initial words $w$ are short relative to the rank $n$, the function $|w|_a$ is essentially the length $|D(w)|$ of the full reduction $D(w)$ of $w$. On the other hand, when the length of the initial word increases, the ratio $|w|_a / |D(w)|$ drops quickly, even more rapidly as the number of strands is increased. As the length increases even more, it appears that the ratio stabilizes to a constant. The data for $B_8$ may suggest that this constant is asymptotically 1. Thus it appears that full reduction combined with conjugation by $\Delta$ can be used to produce rather short words, at least for a certain range of initial lengths depending on the index.

We also checked how well $|\cdot|_a$ performed before and after applying the Thurston left normal form Tlnf to a long freely reduced word. This normal form, described in [5], can be used to prove automaticity of the braid group. For a randomly chosen freely reduced word $w$ representing an element of the braid group, the word $\mathrm{Tlnf}(w)$ is generally much longer than $w$. We found that the approximate length function is relatively insensitive to passing through Tlnf, and in particular $|w|_a$ is very close to $|\mathrm{Tlnf}(w)|_a$ in most cases.
Figure 1. Approximate length compared with length of full reduction in various braid groups.

4.3. Approximate length function: triangle inequality. Next we checked how well the approximate length function satisfies the triangle inequality $|x|_a + |y|_a \ge |xy|_a$.

We considered the same sequence of braid groups as in §4.2. After fixing $B_n$, we generated many freely reduced words $x, y$ of the same length, and then computed the relative error $100 \cdot (|xy|_a - (|x|_a + |y|_a)) / |xy|_a$. The results are shown in Figure 2. Again each data point shows the average over 100 trials; the horizontal axis represents the length of the randomly chosen $x, y$.

Thus Figure 2 shows the average relative error between $|xy|_a$ and $|x|_a + |y|_a$. If this quantity is negative, then the inequality holds on average, and if positive, then $|x|_a + |y|_a < |xy|_a$ on average. The data indicates that for short words, if the rank $n$ is increased then the triangle inequality seems to hold, with $|xy|_a$ considerably smaller than $|x|_a + |y|_a$ on average. But if the lengths of $x, y$ are increased, then for all ranks ultimately the triangle inequality fails to hold for $|\cdot|_a$ on average. The asymptotic behavior is not clear. We remark that of course the triangle inequality holds in all cases for the geodesic metric in the Cayley graph of $B_n$.

Figure 2. Failure of the triangle inequality for $|\cdot|_a$ in various braid groups.

4.4. The attack I: sensitivity to overall length of TTP data. Next we tested the attack against randomly generated TTP data. We fixed the braid group $B_{16}$. As above each data point represents 100 trials with given parameter choices.

First we ran a series of tests in which $N$ varied from 2 to 10; recall that the TTP data consists of $2N$ conjugates divided into two sets of $N$. In these tests the elements $z$ and $v_i, w_j$ were chosen to have approximately the same word length. The results are plotted in Figure 3. The data clearly shows that for small elements, i.e. when $|z|, |v_i|, |w_j| \approx 67$ and thus $|z v_i z^{-1}|, |z w_j z^{-1}| \approx 200$, the attack is successful in almost all cases, regardless of the number of conjugates. But as the lengths are increased, the success rate drops off quickly until the attack fails in all cases. Moreover, the success rate drops off more quickly as the number of conjugates is increased.

4.5. The attack II: dependence on relative sizes of $z$ and $v_i, w_j$. Next we ran a series of tests to investigate the performance of the attack when the lengths of $\{z v_i z^{-1}, z w_j z^{-1}\}$ are fixed and approximately equal, but $|z|$ is very different from $|v_i|, |w_j|$. We fixed $N$ to be 8 and $|z v_i z^{-1}| \approx |z w_j z^{-1}| \approx 350$, and considered $|z| = 25, 50, \dots, 150$. These parameters were chosen because Figure 3 shows that the attack is successful about 15% of the time when the lengths of $z$, $v_i$, and $w_j$ are roughly equal and the length of the conjugates is about 350. Hence at these lengths one can evaluate the performance of the attack when the relative lengths are varied.

The results, shown in Figure 4, indicate that increasing the length of $z$ significantly hampers the success of the attack. Comparison of Figure 4 with the relevant data point in the plot for $N = 8$ in Figure 3 is also instructive. In the former, we have $|z| \approx 125$, $|w_j| \approx 100$ with the total length of each conjugate about 350. In the latter, when $|z| \approx 125$ we have $|w_j| \approx 125$, so that the total length is 375. Thus the conjugators have the same length and the conjugates are slightly longer, yet the success rate of the attack in the latter case is substantially lower.




Figure 3. Performance of the attack against randomly generated TTP data. The ambient braid group is $B_{16}$ and we show data for different $N$. Average length refers to word lengths of $\{z v_i z^{-1}, z w_j z^{-1}\}$. In this data the length of $z$ is roughly equal to that of $v_i, w_j$. In all cases the attack is successful for short lengths and experiences a phase transition to failure as lengths are increased. The rapidity of the transition depends on how many conjugates are used in the two sets.



5. Conclusions and discussion 

5.1. First, the approximate length function described in [8] uses a combination of full reduction and conjugation by $\Delta$ to produce short expressions for words. It does appear to offer an improvement over full reduction, in that in almost all cases we tested it appears to produce rather short words. We conclude that this reduction technique can be used to produce shorter words than those from full reduction, at least for a set of lengths depending on the index.

5.2. Next, the assumption that the triangle inequality holds for the approximate length function $|\cdot|_a$ appears to be too optimistic. As the lengths of words increase, the triangle inequality apparently holds less and less often. The asymptotic behavior is not clear from our experiments, but nevertheless some of the data ($B_{16}$, $B_{24}$) suggests that the inequality might fail quite badly in the long run.

Figure 4. Investigating attack performance on short words when the relative lengths of $z$ and $v_i, w_j$ are varied. For this data we work in $B_{16}$ with $N = 8$ and take $2|z| + |v_i|,\ 2|z| + |w_j| \approx 350$. This graph refines one data point in Figure 3 at which the attack is successful about 15% of the time.

5.3. Regarding the attack on CBKAP described in §4.4, we find that it is successful if the words $\{V_i\}, \{W_i\}$ are short, and that the claims in [7] about the data they tested appear valid. However, as the lengths of $\{V_i\}, \{W_i\}$ increase, the attack quickly loses power, and soon fails in all instances. Furthermore, the attack does not seem robust against easily implemented defenses. Increasing the number of conjugates, for instance, causes the attack to fail at much shorter word lengths. Modifying key selection by varying the length of the conjugator also adversely affects the attack's success. Experiments also show that selecting keys more carefully — for instance, by applying criteria to randomly generated TTP data that go beyond length considerations alone — also quickly hampers the performance of the attack. We conclude that the success of the attack seems mainly to be due to it being applied to short words.